
Re: [webauthn] Allow RPs to choose between "required" and "optional" attestation in credentials.create()

From: John Bradley via GitHub <sysbot+gh@w3.org>
Date: Thu, 12 Oct 2017 15:26:17 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-336172682-1507821961-sysbot+gh@w3.org>
I think Google is proposing a cloud-based service that the platform would send the authenticator-generated attestation to and get back a new attestation signed by the cloud service that would then be given to the RP. Effectively making multiple authenticators look like a single logical one from an attestation point of view.

The downside of this is that the service must be highly reliable and contactable by the platform to make credentials.

The flag Google is proposing would let the RP opt out of getting an attestation (or get a self-signed one from the platform) so that they would have a more reliable user experience.

If we can't talk them out of an attestation proxy then a flag for No-attestation/blinded-attestation/authenticator-attestation is probably required as well as the appropriate user dialogs so that you could allow the user to opt into sending the authenticator attestation to their bank or other party if required. Otherwise we will lock people into not being able to get into some sites at all with specific browsers.

It is a big change at this stage of the process.

I should also note that the privacy uplift with platform authenticators is probably drowned out by signals from browser fingerprinting. An authenticator vendor would have to do a really bad job to have a material impact. I think the original concern was the attestation in combination with the counter, but I think we can deal with the counter going forward to make it non-correlatable.

The primary reason for the attestation proxy is to keep social web sites from rejecting some types of authenticators based on bad judgement.   The proxy would group authenticators into broad classes and blind the RP to the specifics.    

It seems to me that this is a policy / adoption / marketing issue that has become a technical one.   I don't know if this is the group that should be making that particular decision?

John B.

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/628#issuecomment-336172682 using your GitHub account
Received on Thursday, 12 October 2017 15:26:14 UTC
